In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file. Pull Request: https://github.com/python-pillow/Pillow/pull/4538 Upstream Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html
Created python-pillow tracking bugs for this issue: Affects: fedora-31 [bug 1852821] Affects: fedora-32 [bug 1852822]
Upstream commit: https://github.com/python-pillow/Pillow/commit/ff60894d697d1992147b791101ad53a8bf1352e4
Statement: This issue did not affect the versions of python-pillow and python-imaging as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include the JP2 image parser, where the flaw lies.
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10994